buildctl ignores buildkitd.toml #2044
Ok, but that still doesn't answer why there is a
To simplify my question: how do I tell buildctl to use the registry defined in buildkitd.toml when building against a host that has the buildkitd.toml?
Like I said before, registry configuration is based on the buildkitd daemon, not buildctl or any other client making the call to the daemon. It is loaded when buildkitd starts, and then all requests by any client to that daemon follow that registry configuration.
First I must apologize. But there seems to have been a problem with my registry that caused the error
So is this still a question or a bug? I'm super confused.
It seems to be a bug in rootless mode, as this works when I run in privileged mode.
Can you write down the steps that work and the ones that do not? I wonder if the config file is not just readable for the rootless user. Might need to chown it to user 1000, FYI @AkihiroSuda
Something like this.

buildkit.yaml (working):

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: buildkit
  namespace: buildkit
  labels:
    app: buildkit
    rootless: "false"
    runtime: docker
    worker: runc
  annotations:
    buildkit.mobyproject.org/builder: 0.1.3
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  selector:
    matchLabels:
      app: buildkit
      rootless: "false"
      runtime: docker
      worker: runc
  template:
    metadata:
      labels:
        app: buildkit
        rootless: "false"
        runtime: docker
        worker: runc
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: buildkit
                  rootless: "false"
                  runtime: docker
                  worker: runc
              topologyKey: kubernetes.io/hostname
      imagePullSecrets:
        - name: dockerhub
      containers:
        - name: buildkitd
          image: moby/buildkit:v0.8.2
          resources:
            limits:
              cpu: "2"
            requests:
              cpu: 100m
          volumeMounts:
            - mountPath: /etc/buildkit/
              name: buildkitd-config
            - mountPath: /run/docker.sock
              name: docker-sock
          readinessProbe:
            exec:
              command:
                - buildctl
                - debug
                - workers
            initialDelaySeconds: 5
            failureThreshold: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          livenessProbe:
            exec:
              command:
                - buildctl
                - debug
                - workers
            initialDelaySeconds: 5
            periodSeconds: 30
          securityContext:
            privileged: true
      volumes:
        - configMap:
            defaultMode: 420
            name: buildkit
          name: buildkitd-config
        - hostPath:
            path: /var/run/docker.sock
            type: Socket
          name: docker-sock
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
```

buildkit-rootless.yaml (not working):

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: buildkit
  namespace: buildkit
  labels:
    app: buildkit
    rootless: "true"
    runtime: docker
    worker: runc
  annotations:
    buildkit.mobyproject.org/builder: 0.1.3
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  selector:
    matchLabels:
      app: buildkit
      rootless: "true"
      runtime: docker
      worker: runc
  template:
    metadata:
      labels:
        app: buildkit
        rootless: "true"
        runtime: docker
        worker: runc
      annotations:
        container.apparmor.security.beta.kubernetes.io/buildkitd: unconfined
        container.seccomp.security.alpha.kubernetes.io/buildkitd: unconfined
    spec:
      imagePullSecrets:
        - name: dockerhub
      containers:
        - name: buildkitd
          image: moby/buildkit:v0.8.2-rootless
          args:
            - --oci-worker-no-process-sandbox
            - --rootless
          resources:
            limits:
              cpu: "2"
            requests:
              cpu: 100m
          volumeMounts:
            - mountPath: /etc/buildkit/
              name: buildkitd-config
          readinessProbe:
            exec:
              command:
                - buildctl
                - debug
                - workers
            initialDelaySeconds: 5
            failureThreshold: 3
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 1
          livenessProbe:
            exec:
              command:
                - buildctl
                - debug
                - workers
            initialDelaySeconds: 5
            periodSeconds: 30
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
      volumes:
        - configMap:
            defaultMode: 420
            name: buildkit
          name: buildkitd-config
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
```

buildkit-cfg.yaml (buildkitd.toml for buildkitd):

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: buildkit
  name: buildkit
data:
  buildkitd.toml: |
    debug = false
    [worker.containerd]
      namespace = "buildkit"
    [registry."registry:5000"]
      http = true
      insecure = true
```

I can also add that when running rootless I am still able to exec into the container and read /etc/buildkit/buildkitd.toml without any permission problems.
The config path is
Does the pod spec.containers.volumeMounts.mountPath support tilde (~)? Not sure it does.
@AkihiroSuda I guess we should add
Ah, mixed up the repository (thought this was buildx). I guess we can close this then. @Raboo the user in the rootless image is called "user".
@tonistiigi So I should put the config in /home/user/.config/buildkit/config.toml for rootless mode? This should probably be documented.
putting the configuration in
If you are building on top of the job.rootless.yaml template then you can add That worked for me.
Works well in the Argo workflows. Now I can use buildkit to pull and push images to an insecure image registry. See also https://github.com/devops-ws/argo-workflows-guide
Closing, the acceptable workaround is to use the config argument and then volume mount the file to the same path,
or whatever path you want to use.
I'm running into this issue even with the config available and explicitly defined:
The /etc/buildkit/buildkit.toml looks like this:
The CA certificate is baked into the image defined in the driver-opt at that specified location. I tried updating the local trust store via update-ca-certificates and validated that the cert was there, but that didn't work. So that is why I directly pointed to the CA location like this. The buildkit container shows the process running with the config file:
However, when I attempt to build and push an image via this command: I receive the following error message:
When I look in the logs for the pod, I notice the following:
I am using the buildkit 0.17.3 image. I noticed the first block in the trace shows a 0.19.1-1 image -- I have not specified that image anywhere. Why is it being pulled? I have a feeling that whatever is causing this image to be pulled and used is causing the issues with CA trust.
Hi,

So I'm trying to build an image in a k8s-hosted buildkit, cache it and push it to a local unsecured http registry resolvable via `registry`. I have a buildkitd.toml like this:
And when I run

```shell
buildctl --addr kube-pod://buildkitd-0?namespace=buildkit build --frontend dockerfile.v0 \
  --export-cache type=registry,mode=max,ref=registry:5000/hello-kubernetes:cache \
  --import-cache type=registry,ref=registry:5000/hello-kubernetes:cache \
  --output type=image,name=registry:5000/hello-kubernetes:latest,push=true \
  --local context=./app --local dockerfile=.
```

It fails
So the problem here is that it is using https.
I don't understand. I clearly have a configuration that says it's http (not https) and insecure. So why bother having a configuration file if buildctl just tells buildkitd to ignore the configuration? How do I make buildctl use the registry that is provided in buildkitd.toml?